Cryptography is the science of securing data. Various mechanisms have been proposed to accomplish this purpose and to defend against attacks on the security and privacy of electronic transmissions over communication channels. The most commonly used algorithms encrypt data according to a key that is known only to the sender and receiver of the transmission. These are called symmetric key algorithms, in that both the sender and the receiver share the same key, which must be kept secret. Several symmetric key algorithms are well known, perhaps the most notable among them being the Data Encryption Standard (DES) algorithm sponsored by the National Institute of Standards and Technology, and described by Schneier in Applied Cryptography, John Wiley and Sons (second edition, 1996). Because a symmetric algorithm's encryption key must be kept secret, the key is often distributed using public key cryptography. Public key cryptography was first proposed by Diffie and Hellman (“New Directions in Cryptography,” IEEE Trans. Information Theory, vol. IT-22, no. 6, pp. 644-654, November 1976). Other public key algorithms are well known, including, for example, the RSA algorithm, as described by Rivest, Shamir, and Adelman (“A Method for Obtaining Digital Signatures and Public Key Cryptosystems,” Comm. of the ACM, vol. 21. no. 2, pp. 120-126, February 1978) and the elliptic curve cryptosystem, as described by Koblitz (“Elliptic Curve Cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203-209, 1987) and by Miller (“Use of Elliptic Curves in Cryptography,” Advances in Cryptology—Crypto '85 Proceedings, Springer-Verlag, pp. 417-426, 1986).
In public key cryptography, which employs an asymmetric algorithm, each user has a public key, which may be published and widely known, and a private key, which must be kept secret. The efficacy of public key cryptography follows from the difficulty of deriving a private key from its associated public key.
As mentioned above, an important application of public key cryptography is the distribution of symmetric encryption keys. Symmetric encryption keys that are distributed with the help of public key cryptography can be trusted to be secure and valid if all the protections are implemented and executed properly. Nevertheless, a question arises as to whether the public keys themselves can be trusted. For example, a party that publishes a public key may not in fact have possession of a corresponding private key, or the published public key may be corrupted or invalid. Encrypting sensitive data such as a symmetric encryption key using a somehow-bogus public key may result in a loss of privacy and diminished security.
Consequently, it has become important to authenticate public keys before using them, in order to ensure that public keys belong to legitimate parties. Authorities that can be trusted to do this have been set up. These authorities verify that public keys are correct and that they in fact belong to the parties claiming their ownership. Such an authority is often called a Certification Authority (CA). A CA validates a public key by issuing a certificate, which the CA signs using its own private key. A recipient of a signed certificate may then authenticate the certificate using the CAs public key to verify the signature.
This CA-based solution is often called a Public Key Infrastructure (PKI). A PKI includes the CAs, parent CAs capable of authenticating other CAs, and finally a root CA, which ultimately must be trusted, to authenticate the parent CAs. The various CAs and other parties that are part of the PKI act together according to agreed protocols and procedures. For example, ITU-T Recommendation X.509 (Information Technology—Open Systems Interconnection—The Directory: Authentication Framework, June 1997) is a widely accepted PKI standard that defines data formats and procedures pertaining to the distribution of public keys via public key certificates that are digitally signed by CAs.
Unfortunately, despite its many benefits, an X.509 PKI requires a massive and expensive infrastructure with complex operations. Thus there is a need for an alternative to the X.509 PKI that provides the same benefits but demands less in the way of bandwidth, storage, and complexity.